Git Extension Vulnerability in JupyterLab by Project Jupyter
CVE-2026-54528

7.1HIGH

Key Information:

Vendor

Jupyterlab

Vendor
CVE Published:
8 July 2026

What is CVE-2026-54528?

The JupyterLab Git extension previously exhibited a vulnerability that allowed authenticated users on case-insensitive filesystems to bypass excluded path restrictions. Specifically, the use of fnmatch.fnmatchcase() in handling excluded paths permitted attackers to manipulate URL path casing, enabling the reading of directories that should have been protected. This issue has been resolved in the 0.54.0 release of the extension, reinforcing access controls.

Affected Version(s)

jupyterlab-git < 0.54.0

References

CVSS V3.1

Score:
7.1
Severity:
HIGH
Confidentiality:
High
Integrity:
Low
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.